Over 400 of the World's Most Popular Websites Record Your Every Keystroke



Aragorn
21st November 2017, 21:39
https://video-images.vice.com/articles/5a0f3227732e3d797af066e9/lede/1510945320663-shutterstock_217203820-7.jpeg

“Session replay scripts” can be used to log (and then play back) everything you typed or clicked on a website.

Source: Motherboard (https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you)



Most people who’ve spent time on the internet have some understanding that many websites log their visits and keep record of what pages they’ve looked at. When you search for a pair of shoes on a retailer’s site for example, it records that you were interested in them. The next day, you see an advertisement (https://www.godigitalmarketing.com/learn/blog/why-is-that-ad-following-me-around-the-internet-breaking-down-the-basics-of) for the same pair on Instagram or another social media site.

The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment (https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/) of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (https://citp.princeton.edu/) (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server.

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered is still recorded, according to the researchers’ findings. If you accidentally paste something into a form that was copied to your clipboard, it’s also recorded. Facebook users were outraged in 2013 when it was discovered (http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html) that the social network was doing something similar with status updates—it recorded what users typed, even if they never ended up posting it.

These scripts, or bits of code that websites run, are called “session replay” scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don’t just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don’t run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions.

It’s difficult for the user to understand what’s happening “unless you dug deep into the privacy policy,” Steve Englehardt (https://senglehardt.com/), one of the researchers behind the study, told me over the phone. “I’m just happy that users will be made aware of it."

In the video below, you can see what a session replay script from the company FullStory can record:

https://www.youtube.com/watch?v=l0Yc8s0DTZA

Most troubling is that the information session replay scripts collect can’t “reasonably be expected to be kept anonymous,” according to the researchers. Some of the companies that provide this software, like FullStory (https://web.archive.org/web/20170623160320/http://help.fullstory.com/develop-js/identify), design tracking scripts that even allow website owners to link the recordings they gather to a user’s real identity. On the backend, companies can see that a user is connected to a specific email or name. FullStory did not return a request for comment.

To conduct their study, Englehardt, Gunes Acar, and Arvind Narayanan looked at seven of the most popular session replay companies including FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Russia’s most popular search engine Yandex (https://www.yandex.com/). They set up test pages and installed session replay scripts on them from six of the seven companies. Their findings indicated that at least one of these company’s scripts is being used by 482 of the world’s top 50,000 sites, according to their Alexa ranking (https://www.alexa.com/topsites).

Prominent companies who use the scripts include men’s retailer Bonobos.com, Walgreens.com, and the financial investment firm Fidelity.com. It’s also worth noting that 482 might be a low estimate. It’s likely that the scripts don’t record every user that visits a site, the researchers told me. So when they were testing, they likely did not detect some scripts because they were not activated. You can see all the popular websites that utilize session replay scripts documented by the researchers here (https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html).

Since the Princeton researchers released their research, both Bonobos and Walgreens said they would stop using session replay scripts. “We take the protection of our customers’ data very seriously and are investigating the claims made in the study that was published yesterday. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory,” a spokesperson from Walgreens told me in an email last Thursday.

Bonobos did not return a request for comment, but the company told Wired (https://www.wired.com/story/the-dark-side-of-replay-sessions-that-record-your-every-move-online/) that it “eliminated data sharing with FullStory in order to evaluate our protocols and operations with respect to their service. We are continually assessing and strengthening systems and processes in order to protect our customers’ data."

Fidelity did not say it would stop using session replay scripts. “We don’t comment on relationship (sic) we have with vendors or companies but one of our highest priorities is the protection of customer information,” a spokesperson said in a statement.

Companies that sell replay scripts do offer a number of redaction tools that allow websites to exclude sensitive content from recordings, and some even explicitly forbid (https://web.archive.org/web/20171115050443/https://sessioncam.com/privacy-policy-cookies/) the collection of user data. Still, the use of session replay scripts by so many of the world’s most popular websites has serious privacy implications.

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” the researchers wrote in their post.

Passwords are often accidentally included in recordings, even though the scripts are designed to exclude them. The researchers found that other personal information was also often not redacted, or only redacted partially, at least with some of the scripts. Two of the companies, UserReplay and SessionCam, block all user inputs by default (they just track where users are clicking), which is a far safer approach.

It’s not just what users input that matters, however. When you log into a website, what’s displayed on the screen can also be sensitive. The researchers found that “none of the companies appear to provide automated redaction of displayed content by default; all displayed content ends up leaking.”

For example, the researchers tested Walgreens.com, which used to run a script from the company FullStory. Despite the fact that Walgreens does use a number of redaction features offered by FullStory, they found that information like medical conditions and prescriptions was still being collected by the session replay script, along with users’ real names.

Finally, the study’s authors are worried that session script companies could be vulnerable to targeted hacks, especially because they’re likely high-value targets. For example, many of these companies have dashboards where clients can playback the recordings they collect. But Yandex, Hotjar, and Smartlook’s dashboards run non-encrypted HTTP pages (https://motherboard.vice.com/en_us/article/xyg55z/google-chrome-shaming-http-unencrypted-websites-january), rather than much more secure, encrypted HTTPS pages.

“This allows an active man-in-the-middle to inject a script into the playback page and extract all of the recording data,” the study authors wrote.

In an emailed statement, a spokesperson for Yandex told me the company tries to use HTTPS wherever it can, and said it is going to update its product soon to no longer use HTTP. "HTTP is used intentionally, as session recordings load websites using iframe. Unfortunately, loading http content from https websites is prohibited on the browser level so http player is required to support http websites for this feature," the statement read.

A spokesperson for SmartLook said something similar in an emailed statement: "Our product team is already aware of this and they are already working on fixing the issue."

HotJar and UserReplay did not issue a statement in time for publication. Clicktale did not return a request for comment. SessionCam CEO Kevin Goodings wrote in a blog post (https://blog.sessioncam.com/sessioncam-and-privacy-why-you-dont-need-to-worry-about-session-replay-ce9cabbe52e2) that “Everyone at SessionCam can get behind the CITP’s conclusion: ‘Improving user experience is a critical task for publishers. However, it shouldn’t come at the expense of user privacy.’ The whole team at SessionCam lives these values every day. The privacy of your website visitors and the security of your data is of paramount importance to us.”

It’s not just session scripts that are following you around the internet. A study published earlier this year (https://motherboard.vice.com/en_us/article/padge9/nearly-half-of-the-most-popular-websites-use-the-same-software-to-track-you-around-the-internet) found that nearly half of the world’s 1,000 most popular websites use the same tracking software to monitor your behavior in various ways.

If you want to block session replay scripts, popular ad-blocking tool AdBlock Plus (https://adblockplus.org/) will now protect you against all of the ones documented in the Princeton study. AdBlock Plus formerly only protected against some, but has now been updated to block all as a result of the researchers’ work.

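As an added example (not code from the article, the Princeton study, or any of the vendors), here is a small JavaScript audit that scans a page's HTML source for third-party scripts from the replay vendors named above and flags any script fetched over plain HTTP, the weakness the researchers called out on the vendors' playback pages. It assumes the vendor's name appears in the script host (a heuristic, not the vendors' documented script URLs); the sample markup and the .example hosts are constructed.

```javascript
// Vendor names taken from the article; matching them against script hosts is a heuristic.
const VENDOR_KEYWORDS = [
  "fullstory", "sessioncam", "clicktale", "smartlook",
  "userreplay", "hotjar", "yandex",
];

// Pull the src attribute out of every <script> tag in raw HTML.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Classify one script URL: which vendor (if any), whether it is third-party,
// and whether it is fetched over plaintext HTTP.
function classifyScript(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin); // resolves relative and protocol-relative srcs
  } catch {
    return null; // malformed src: nothing to classify
  }
  const host = url.hostname.toLowerCase();
  const vendor = VENDOR_KEYWORDS.find((k) => host.includes(k)) || null;
  const thirdParty = host !== new URL(pageOrigin).hostname;
  return { src: url.href, host, vendor, thirdParty, insecure: url.protocol === "http:" };
}

// Audit a page: keep only findings worth acting on (a replay vendor, or any
// script loaded over HTTP, which the article notes an active MITM can tamper with).
function auditPage(html, pageOrigin) {
  return extractScriptSrcs(html)
    .map((s) => classifyScript(s, pageOrigin))
    .filter((f) => f && (f.vendor || f.insecure));
}

// Constructed sample page (not any real site's markup); hosts use .example.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.fullstory.example/fs.js"></script>
<script src="//static.hotjar.example/hotjar-123.js"></script>
<script src="http://analytics.example.net/metrics.js"></script>
</head><body><form><input type="password" name="pw"></form></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditPage(SAMPLE_HTML, "https://shop.example.com/"));
}
```

Run against a saved copy of your own site's HTML; first-party scripts and HTTPS scripts from hosts that match no vendor are dropped from the output.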

DMt.
21st November 2017, 22:30
Thanks, Aragorn. Waaaaay too many people still just don't get this.

Personally, I don't care any more; I'm old, and ill, and if paid goons kill me, they'll be doing me a favour by sending me back Home.

DMt.
21st November 2017, 23:05
Dear Aragorn/Modwiz, I would also like to [publicly] ask why The One Truth runs a policy of treating any response to a thread as a subscription?

I keep having to delete subscriptions to threads, over and over and over, because my email inbox is filled with undesired notifications.

This must also be very useful to the spooks, no...?

Aragorn
22nd November 2017, 00:01
Dear Aragorn/Modwiz, I would also like to [publicly] ask why The One Truth runs a policy of treating any response to a thread as a subscription?

I keep having to delete subscriptions to threads, over and over and over, because my email inbox is filled with undesired notifications.

This must also be very useful to the spooks, no...?

Um, first things first, our brother modwiz is not a staff member here at The One Truth. He is however a staff member at our sister forum, Eye-Rise. ;)

Secondly, you can either disable automatic thread subscription completely or choose a different type of notification in your account settings. Click here (https://jandeane81.com/profile.php?do=editoptions) and scroll down about one third of the page, to where it says "Messaging & Notification". The second item below that header is "Default Thread Subscription Mode".

There are several options you can choose from. The default is instant notification via email, but you can also opt to disable automatic subscription completely, or to have your notifications only show up here at the forum by way of the Notifications area, all the way at the top right on any page of our website, where you normally also get to see a notification when you've received a private message.

The reason why we've enabled automatic thread subscription is that too many people were posting on threads and then never even looking back at them, remaining completely oblivious about whether there had been any replies to their posts or not. So for new member registrations, we've enabled automatic thread subscription with instant notification via email as the default setting. It also comes in handy for when the member is not online at the forum when somebody replies to their posts. That way they'll get to see it in their email inbox. ;)

The above said, you can also manually subscribe to and/or unsubscribe from individual threads by scrolling up on a thread page and clicking on the "Thread Tools" menu, as shown in the image below. ;)

http://users.telenet.be/stryder/The_One_Truth/HowTo/How_to_subscribe_to_a_thread_in_vBulletin.jpeg

Lastly, you can view the list of threads that you are subscribed to — and manage your subscriptions — by clicking on the "Quick Links" menu underneath the Member List tab on the navigation bar and selecting the bottom option of the menu. ;)

DMt.
22nd November 2017, 00:47
Right. OK. I'll sort it.

In the morning.

*

It's still an iffy default behaviour, though.